The patches for this are now available (Solaris 8 has been available for a while, Solaris 2.6 patch just came out). I haven't been notified by the usual channels, so I thought I'd send this out.

Dave Foster

> NSFOCUS Security Advisory(SA2001-05)
>
> Topic: Solaris Xlock Heap Overflow Vulnerability
>
> Release Date: 2001-08-10
>
> CVE CAN ID : CAN-2001-0652
> BUGTRAQ ID : 3160
>
> Affected system:
> ================
>
> Sun Solaris 2.6 (SPARC/x86)
> Sun Solaris 7 (SPARC/x86)
> Sun Solaris 8 (SPARC/x86)
>
> Impact:
> =========
>
> NSFOCUS Security Team has found a heap buffer overflow vulnerability in the
> xlock shipped in Solaris system when handling some environment variables.
> Exploitation of it would allow a local attacker to obtain root privilege.
> Sun's patches to be released for this vulnerability:
>
>                SPARC       x86
>                ---------   ---------
> Solaris 8      108652-38   108653-33
> Solaris 7      108376-30   108377-26
> Solaris 2.6    105633-60   106248-45
>
>
> Security patches of Sun Inc. are available at:
>
> http://sunsolve.sun.com/securitypatch
>

<< All opinions expressed are mine, not the University's >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Foster         National Center for Microscopy and Imaging Research
Programmer/Analyst   University of California, San Diego
dfoster@ucsd.edu     Department of Neuroscience, Mail 0608
(858) 534-7968       http://ncmir.ucsd.edu/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
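One way to check a host against the patch table in the quoted advisory, as an added example that is not part of the original message or the NSFOCUS advisory. It assumes the `Patch: <id>-<rev> ...` line layout of `showrev -p` and the usual `uname -r` / `uname -p` values (5.6, 5.7, 5.8; sparc, i386); the listing embedded in it is constructed.

```shell
#!/bin/sh
# Added example: compare `showrev -p` output with the advisory's fixed revisions.

# Fixed patch revision per `uname -r` / `uname -p` (values from the advisory table).
required_patch() {
    case "$1/$2" in
        5.8/sparc) echo 108652-38 ;;  5.8/i386) echo 108653-33 ;;
        5.7/sparc) echo 108376-30 ;;  5.7/i386) echo 108377-26 ;;
        5.6/sparc) echo 105633-60 ;;  5.6/i386) echo 106248-45 ;;
        *) return 1 ;;                # release not covered by the advisory
    esac
}

# patch_status NEEDED < listing
# Prints OK, OUTDATED or MISSING; returns 0 only when the highest installed
# revision of the patch is at least the needed one.
# Limitation: a different patch ID that obsoletes this one is not followed.
# On Solaris set AWK=nawk, since the stock awk lacks -v.
patch_status() {
    ${AWK:-awk} -v need="$1" '
        BEGIN { split(need, n, "-"); best = -1 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == n[1] && p[2] + 0 > best) best = p[2] + 0
        }
        END {
            if (best < 0) { print "MISSING " need; exit 1 }
            if (best < n[2] + 0) {
                printf "OUTDATED %s-%02d (need %s)\n", n[1], best, need; exit 1
            }
            printf "OK %s-%02d\n", n[1], best
        }'
}

# Constructed sample listing (patch 999999 and the package names are made up).
sample_listing() {
    cat <<'EOF'
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample1
Patch: 108652-31 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample2
Patch: 108652-35 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample2
EOF
}

# Demo on the sample; on a live host run instead:
#   showrev -p | patch_status "$(required_patch "$(uname -r)" "$(uname -p)")"
sample_listing | patch_status "$(required_patch 5.8 sparc)" || true
```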